19.1.  General

19.1.1.  Without prejudice to the specific requirements noted in this clause 19, each party shall comply with the requirements of the DPA and any equivalent or associated Legislation in relation to the provision of the Services and will not knowingly do anything or permit anything to be done which might lead to a breach by the other party of the DPA.

19.1.2.  In relation to all Personal Data, the Service Provider shall at all times comply with the DPA, if necessary, including maintaining a valid and up to date registration or notification under the DPA covering the data processing to be performed in connection with the Services.

19.1.3.  The Service Provider and any Sub-Contractor shall only undertake processing of Personal Data reasonably required in connection with the Services.

19.1.4.  All processing of Personal Data undertaken by the Service Provider in accordance with this Agreement shall at all times comply with the eight Data Protection Principles under the DPA in accordance with the interpretation or view of the Authority from time to time notified in writing to the Service Provider.  In particular, the Service Provider shall:

a)  ensure that, subject to any exemption under the DPA, all processing of Personal Data is done fairly and lawfully;

b)  ensure that Personal Data processed for the purposes of this Agreement is not used for any other purpose or provision by or on behalf of the Service Provider;

c)  ensure that all Personal Data processed for the purposes of this Agreement is no more than is necessary for the purposes of the Services;

d)  ensure that checks are undertaken to ensure accuracy of the Personal Data maintained for the purposes of the Services;

e)  ensure that Personal Data maintained for the purposes of the Services is not kept for any longer than is necessary, in accordance with guidelines which shall be provided from time to time by the Authority;

f)  ensure that it is fully able to comply with all of the rights of Data Subjects under the DPA, including the ability to comply with Data Subject access requests within the statutory maximum period, whether such requests are received by the Service Provider or by the Authority.  If such requests are received by the Authority, they will be forwarded to the Service Provider promptly.  The Service Provider shall notify the Authority of all notices received from Data Subject, which appear to or purport to exercise that person's rights under the DPA, promptly;

g)  bring into effect and maintain technical and organisational measures to prevent unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data including but not limited to taking reasonable steps to ensure the reliability of staff having access to the Personal Data, in particular, with regard to sensitive personal data as defined in the DPA;

h)  comply with the provisions of BS7799 or equivalent European standard; and

i)  not transfer any Personal Data to any country or territory outside the EEA without the express written consent of the Authority.

19.1.5.  All employees of all Sub-Contractors and the Service Provider who have access to Personal Data for the purposes of this Agreement shall be trained in data protection to accord with the requirements of this Agreement.

19.1.6.  Without prejudice to the Service Provider's general obligations to provide data and information to the Authority on request, the Authority shall be entitled to request, and the Service Provider shall provide within a reasonable time, employment and relevant personal information in relation to the Service Provider's employees or any Sub-Contractor's employees for the purposes of anti-fraud measures such as data matching.  The Service Provider shall ensure that it takes any measures necessary pursuant to the DPA and any other relevant Legislation to facilitate such disclosure lawfully and fairly.